Security News > 2021 > July > Critical Vulnerability Found in Sunhillo Aerial Surveillance Product
An unauthenticated OS command injection vulnerability in the Sunhillo SureLine application could allow an attacker to execute arbitrary commands with root privileges, according to security researchers with the NCC Group.
Sunhillo is an established name in aerial vehicle surveillance and tracking, and SureLine represents the core software that powers the company's surveillance tools and products.
Tracked as CVE-2021-36380, the critical OS command injection flaw that NCC Group's Liam Glanfield discovered could allow an attacker to establish an interactive channel with the affected device, taking control of it.
Cgi script, which "Directly incorporated user-controllable parameters within a shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input," Glanfield explains.
Command injection was possible using $() and running the arbitrary commands within the parenthesis.
The vulnerability was reported to Sunhillo on June 21 and a patch was released on July 22, in Sunhillo SureLine version 8.7.0.1.1.
News URL
Related news
- Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution (source)
- Moxa Issues Fix for Critical Authentication Bypass Vulnerability in PT Switches (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking (source)
- IBM scores perfect 10 ... vulnerability in mission-critical OS AIX (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks (source)
- Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-13 | CVE-2021-36380 | OS Command Injection vulnerability in Sunhillo Sureline Sunhillo SureLine before 8.7.0.1.1 allows Unauthenticated OS Command Injection via shell metacharacters in ipAddr or dnsAddr /cgi/networkDiag.cgi. | 9.8 |